They just wanted their snacks. They didn’t expect their chips and chocolate bars to cost an arm and a leg, or, in this case, a fingertip.
Last week, a food kiosk vendor announced a breach that cost 1.6 million of its customers more than just their credit card data: hackers had also stolen their fingerprints. This breach wasn’t the first instance of biometric data theft; even the Federal Government has been targeted, with the Office of Personnel Management losing 5.6 million fingerprints in 2015.
The loss of biometric data isn’t a problem that’s going away. As companies try to move beyond inconvenient and insecure passwords, they are increasingly turning to biometrics. Adoption is growing so rapidly that 3.2 billion users are predicted by 2020. End users are on board with this development, not just because they love the convenience of fingerprint readers and retinal scanners, but also because a vast majority of people feel that biometrics are more secure than passwords.
Unfortunately, they are wrong.
Hacked once, hurt forever
When credit card data is stolen, the problem for the cardholder is limited in scope. The damage usually ends within the same billing cycle, either when the card processor’s system sends an alert regarding fraudulent activity or the cardholder sees unauthorized purchases on the next billing statement. The card is changed and the bleeding stops.
Biometric data is different. Once captured, the image of a fingerprint, retina, or iris is converted into the usual bits and bytes of computer-readable code, and that code can be stolen in the same ways any code can be stolen. Once biometric data is gone, it’s gone forever; a fingerprint or an eyeball can’t be reset, so victims will have to manage the impact for the rest of their lives.
Despite the risks, however, biometrics are a useful tool in authentication strategies. They just need to be thoughtfully integrated into a broader security program.
The genie is out of the bottle
Authentication has always been tough, and modern business requirements have made it tougher. Organizations that want to remain competitive have no choice but to allow vendors and partners access to their networks. Yet once that access has been allowed, it’s hard to control. An organization may issue a login to a third-party vendor, never knowing that the login—along with an admin account—is shared among many and possibly even stored openly. Poor security hygiene is a problem biometrics can’t solve.
Instead, organizations need to take a satellite view of their data protection strategy. Know exactly who has access and determine whether they need all of that access. Take a look at the data being collected and stop collecting any that isn’t absolutely necessary. Institute a strong vendor management program based on a reliable inventory of vendors, a consistent approval workflow, and a review of a vendor’s security practices each time a contract comes up for renewal.
Notice that all of these best practices are based on organizational processes, not biometrics. Real security begins with a thoughtful approach to managing all types of network users, especially the third-party vendors with elevated credentials. Biometrics belong in the mix, but they are not the silver bullet that will solve every authentication problem.
Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy and efficient, ensures compliance, and reduces liability when supporting customers.